Thanks for your answer, Robert.

> Wait, is the "normal" link interface also available in the namespace?
> If yes, can you show the configuration file used for Squid? Are you sure
> you're binding Squid correctly so that it is reachable over the
> Wireguard interface, or that it sends its responses over the Wireguard
> interface?
Nope. That namespace only holds the VPN interface. I'm exploiting this neat trick for Wireguard: https://www.wireguard.com/netns/#the-new-namespace-solution, where you first create the wg0 interface in the "normal / physical namespace", then you move it into the dedicated one and things work :)

> That doesn't necessarily mean that it runs in the wrong namespace, if
> the "standard" link is available in the namespace, it might "just" be
> binding to the wrong interface. For example `tcp_outgoing_address` are
> configurations regarding that behavior.

Well, `sudo ip netns pids vpn` (`vpn` is the namespace name) doesn't show any squid-related PID, while it does show the PID of the tinyproxy process. The PID in the squid log below (`Squid Parent: (squid-1) process 107287 started`) is not returned by the `ip netns pids vpn` command. I think it's related to how squid forks or something...

>> I'd like to run squid inside this network namespace.
> Can you show the service file you're using for Squid?

❯ systemctl cat squid
# /usr/lib/systemd/system/squid.service
## Copyright (C) 1996-2025 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.
##

[Unit]
Description=Squid Web Proxy Server
Documentation=man:squid(8)
After=local-fs.target network.target network-online.target nss-lookup.target

[Service]
Type=notify
PIDFile=/run/squid.pid
ExecStartPre=/usr/sbin/squid --foreground -z
ExecStart=/usr/sbin/squid --foreground -sYC
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
NotifyAccess=all

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/squid.service.d/override.conf
[Service]
NetworkNamespacePath=/run/netns/vpn
BindReadOnlyPaths=/etc/netns/vpn/resolv.conf:/etc/resolv.conf:norbind

[Unit]
After=vpn.service
BindsTo=vpn.service

❯ cat /etc/squid/squid.conf
acl SSL_ports port 443
acl Safe_ports port 80
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost

# The two deny rules below are unnecessary in this default configuration
# because they are followed by a "deny all" rule. However, they may become
# critically important when you start allowing external requests below them.

# Protect web applications running on the same server as Squid. They often
# assume that only local users can access them at "localhost" ports.
http_access deny to_localhost

# Protect cloud servers that provide local users with sensitive info about
# their server via certain well-known link-local (a.k.a. APIPA) addresses.
http_access deny to_linklocal

# And finally deny all other access to this proxy
http_access deny all

http_port 3129
cache deny all
coredump_dir /var/cache/squid
access_log stdio:/dev/null

❯ journalctl -b -u squid -e
Jan 04 23:43:17 gagazet systemd[1]: Starting Squid Web Proxy Server...
Jan 04 23:43:17 gagazet squid[107280]: 2026/01/04 23:43:17| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 gagazet squid[107280]: 2026/01/04 23:43:17| Created PID file (/run/squid.pid)
Jan 04 23:43:17 gagazet squid[107280]: Squid Parent: will start 1 kids
Jan 04 23:43:17 gagazet squid[107280]: Squid Parent: (squid-1) process 107282 started
Jan 04 23:43:17 gagazet squid[107282]: 2026/01/04 23:43:17 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 gagazet squid[107282]: 2026/01/04 23:43:17 kid1| Set Current Directory to /var/cache/squid
Jan 04 23:43:17 gagazet squid[107282]: 2026/01/04 23:43:17 kid1| Creating missing swap directories
Jan 04 23:43:17 gagazet squid[107282]: 2026/01/04 23:43:17 kid1| No cache_dir stores are configured.
Jan 04 23:43:17 gagazet squid[107280]: Squid Parent: squid-1 process 107282 exited with status 0
Jan 04 23:43:17 gagazet squid[107280]: 2026/01/04 23:43:17| Removing PID file (/run/squid.pid)
Jan 04 23:43:17 gagazet squid[107283]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 gagazet squid[107283]: Created PID file (/run/squid.pid)
Jan 04 23:43:17 gagazet squid[107283]: Squid Parent: will start 1 kids
Jan 04 23:43:17 gagazet squid[107283]: Squid Parent: (squid-1) process 107287 started
Jan 04 23:43:17 gagazet squid[107287]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Jan 04 23:43:17 gagazet squid[107287]: Set Current Directory to /var/cache/squid
Jan 04 23:43:17 gagazet squid[107287]: Starting Squid Cache version 7.3 for x86_64-pc-linux-gnu...
Jan 04 23:43:17 gagazet squid[107287]: Service Name: squid
Jan 04 23:43:17 gagazet squid[107287]: Process ID 107287
Jan 04 23:43:17 gagazet squid[107287]: Process Roles: worker
Jan 04 23:43:17 gagazet squid[107287]: With 1024 file descriptors available
Jan 04 23:43:17 gagazet squid[107287]: Initializing IP Cache...
Jan 04 23:43:17 gagazet squid[107287]: DNS IPv6 socket created at [::], FD 7
Jan 04 23:43:17 gagazet squid[107287]: DNS IPv4 socket created at 0.0.0.0, FD 8
Jan 04 23:43:17 gagazet squid[107287]: Adding nameserver 10.128.0.1 from /etc/resolv.conf
Jan 04 23:43:17 gagazet squid[107287]: Adding nameserver fd7d:76ee:e68f:a993::1 from /etc/resolv.conf
Jan 04 23:43:17 gagazet squid[107287]: Logfile: opening log stdio:/dev/null
Jan 04 23:43:17 gagazet squid[107287]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jan 04 23:43:17 gagazet squid[107287]: Store logging disabled
Jan 04 23:43:17 gagazet squid[107287]: Swap maxSize 0 + 262144 KB, estimated 20164 objects
Jan 04 23:43:17 gagazet squid[107287]: Target number of buckets: 1008
Jan 04 23:43:17 gagazet squid[107287]: Using 8192 Store buckets
Jan 04 23:43:17 gagazet squid[107287]: Max Mem size: 262144 KB
Jan 04 23:43:17 gagazet squid[107287]: Max Swap size: 0 KB
Jan 04 23:43:17 gagazet squid[107287]: Using Least Load store dir selection
Jan 04 23:43:17 gagazet squid[107287]: Set Current Directory to /var/cache/squid
Jan 04 23:43:17 gagazet squid[107287]: Finished loading MIME types and icons.
Jan 04 23:43:17 gagazet squid[107287]: HTCP Disabled.
Jan 04 23:43:17 gagazet squid[107287]: Squid plugin modules loaded: 0
Jan 04 23:43:17 gagazet squid[107287]: Adaptation support is off.
Jan 04 23:43:17 gagazet squid[107287]: Accepting HTTP Socket connections at conn3 local=[::]:3129 remote=[::] FD 10 flags=9 listening port: 3129
Jan 04 23:43:17 gagazet systemd[1]: Started Squid Web Proxy Server.

On Sun, Jan 4, 2026 at 4:35 PM Robert 'Bobby' Zenz <[email protected]> wrote:
> > I have a network namespace which runs a Wireguard VPN (only).
> >
> > ```
> > ❯ ip l
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> > mode DEFAULT group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > 3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state
> > UNKNOWN mode DEFAULT group default qlen 1000
> >     link/none
> > ```
>
> Wait, is the "normal" link interface also available in the namespace?
> If yes, can you show the configuration file used for Squid? Are you sure
> you're binding Squid correctly so that it is reachable over the
> Wireguard interface, or that it sends its responses over the Wireguard
> interface?
>
> > But if I do the same with the systemd unit of squid, it doesn't work.
> > The proxy process still runs within the standard namespace (if I curl
> > using the proxy, the IP is the one of the standard namespace)
>
> That doesn't necessarily mean that it runs in the wrong namespace, if
> the "standard" link is available in the namespace, it might "just" be
> binding to the wrong interface. For example `tcp_outgoing_address` are
> configurations regarding that behavior.
> _______________________________________________
> squid-users mailing list
> [email protected]
> https://lists.squid-cache.org/listinfo/squid-users
>

--
rdb.is
Book a meeting with me: https://calendly.com/rdbisme
_______________________________________________ squid-users mailing list [email protected] https://lists.squid-cache.org/listinfo/squid-users
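An added diagnostic, not from this thread and not Squid's or iproute2's own code, that does what `ip netns pids <name>` does underneath: it pulls the worker ("kid") PIDs out of the journal lines quoted above and compares each process's `/proc/<pid>/ns/net` against the bind mount `ip netns add` leaves at `/run/netns/<name>`. The journal text is constructed from the lines in the message; the namespace name `vpn` and the PIDs are the ones the thread uses and are assumed to exist on the box where you run it.

```python
import os
import re
from typing import Optional, Tuple

# Journal lines constructed from the ones quoted in the message above.
SAMPLE_JOURNAL = """\
Jan 04 23:43:17 gagazet squid[107280]: Squid Parent: (squid-1) process 107282 started
Jan 04 23:43:17 gagazet squid[107280]: Squid Parent: squid-1 process 107282 exited with status 0
Jan 04 23:43:17 gagazet squid[107283]: Squid Parent: (squid-1) process 107287 started
Jan 04 23:43:17 gagazet squid[107287]: Process ID 107287
"""

# Matches the parent announcing a kid, e.g. "Squid Parent: (squid-1) process 107287 started".
KID_STARTED = re.compile(r"Squid Parent: \((?P<kid>squid-\d+)\) process (?P<pid>\d+) started")


def kid_pids(journal: str):
    """Return the worker PIDs the Squid parent reports as started, in log order."""
    return [int(m.group("pid")) for m in map(KID_STARTED.search, journal.splitlines()) if m]


def netns_inode_of_pid(pid, procfs: str = "/proc") -> Optional[Tuple[int, int]]:
    """(st_dev, st_ino) of the net namespace a process lives in; None if the PID is gone/unreadable."""
    try:
        st = os.stat(f"{procfs}/{pid}/ns/net")
        return (st.st_dev, st.st_ino)
    except OSError:
        return None


def netns_inode_of_name(name: str, run_netns: str = "/run/netns") -> Optional[Tuple[int, int]]:
    """Same identity for a named namespace (the bind mount created by `ip netns add`)."""
    try:
        st = os.stat(f"{run_netns}/{name}")
        return (st.st_dev, st.st_ino)
    except OSError:
        return None


def classify(pids, target):
    """Map each PID to True (inside the target netns), False (elsewhere) or None (no such PID)."""
    out = {}
    for pid in pids:
        ident = netns_inode_of_pid(pid)
        out[pid] = None if ident is None or target is None else ident == target
    return out


MY_PID = os.getpid()

if __name__ == "__main__":
    target = netns_inode_of_name("vpn")  # namespace name from the thread; assumed to exist
    labels = {True: "in vpn netns", False: "NOT in vpn netns", None: "no such pid / no such netns"}
    for pid, state in classify(kid_pids(SAMPLE_JOURNAL), target).items():
        print(pid, labels[state])
```

A PID that exited (107282 above) maps to None, which separates "already gone" from "running in the wrong namespace" when reading the result.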
